SB 1386 and the Compliance Code of Practice

California Senate Bill 1386 (SB-1386 / SB 1386), also known as the California Security Breach Information Act, is a California state law which came into effect on July 1st 2003. It has specific and restrictive privacy breach reporting requirements. SB 1386 requires companies that collect and hold personal information on California residents (whether customers, employees, or individuals involved in some facet of the business) to notify each person on their database immediately should an information security breach occur, or if one is suspected. (Encrypted data is excluded from this requirement.)


SB 1386 applies to all organizations that hold personal data on persons living in California: state government agencies and nonprofit organizations, as well as companies of all sizes, regardless of geographic location. It requires these organizations to disclose any unauthorized access to computerized data files containing personal information such as:

  • Social Security number,
  • Driver's license number,
  • Bank account number,
  • Credit or debit card number,
  • Security code or password for accessing their financial account.

SB 1386 gives consumers the right to sue businesses in civil court for damages incurred through the compromise of such information. The costs and penalties of civil litigation, coupled with a tarnished public image, can cause untold long-term damage to the organization.

WHO IS AFFECTED BY SB-1386?

• Companies that have even one customer or employee in California, where that data is held on a database.
• Outsourcing (offshore or not) companies that are doing work for a company with customers or employees in California.
• Companies that store data for companies that collect information on California residents.

What are the SB 1386 compliance requirements?

In a compliance environment that contains overlapping, inconsistent, sometimes untested and often contradictory laws and regulations, organizations must increasingly turn to best practice solutions that will simultaneously combat their real-world information security threats while helping them meet regulatory requirements.

The Solution

Businesses should perform regular security analysis of their applications to understand their risk of exposure. As stated in SB 1386, implementation of the standard ISO/IEC 27002 (previously ISO/IEC 17799) will enable an organization to fully meet the requirements laid out in SB 1386. ISO/IEC 27002:2005 is a best practice standard for compliance with SB 1386; it establishes guidelines and general principles for initiating, implementing, maintaining, and improving information security management within an organization.

IT Governance Ltd provides a tailored toolkit to help organizations comply with SB 1386, mitigating the potential negative impact of a data breach. Based on the internationally recognized ISO 27000 Information Security Management series, this toolkit combines ‘ease of use’ with comprehensiveness, giving users confidence that they are meeting the SB 1386 requirements.

The full text of SB 1386 can be found at http://info.sen.ca.gov/pub/01-02/bill/sen/sb_1351-1400/sb_1386_bill_20020926_chaptered.html

IT Governance Ltd is able to offer you a range of products which will help you use these best practice standards to ensure your organization fully complies with SB 1386.

Step 1:

Purchase a copy of ISO 27002: http://www.27001.com/catalog/11

Step 2:

Purchase an implementation manual such as

Step 3:

Purchase our SB 1386 Compliance toolkit to make the whole process as quick and as painless as possible.

FAQS

Our SB 1386 compliance FAQs are packed with useful information.
Links

Full text of the Bill - http://info.sen.ca.gov/pub/01-02/bill/sen/sb_1351-1400/sb_1386_bill_20020926_chaptered.html

Recommendations for Notice of a Security Breach - http://www.oispp.ca.gov/consumer_privacy/pdf/secbreach.pdf

Business Privacy Handbook - http://www.oispp.ca.gov/consumer_privacy/pdf/ca_business_privacy_hb.pdf

Information Program Guide - http://www.oispp.ca.gov/government/documents/pdf/Info_Sec_Program_Guide.pdf

Incident Reporting Guidance - http://www.oispp.ca.gov/government/documents/docs/SIMM65B_Incident_Instructions.doc

Information Security Incident Notification Roadmap for State agencies - http://www.oispp.ca.gov/government/documents/pdf/ISOIncidentNotifyRoadmapv1-3.pdf

Information Security Management Handbook, Fifth Edition (Volumes 1, 2, 3)
